Risk Assessment During Breach Investigation
Upon review of [the] risk analysis and risk mitigation plan, OCR
determined that it was not a comprehensive risk analysis as it
was limited in its scope to select technology. Specifically, the
risk analysis report did not include certain critical assets,
such as networks (wired, wireless, and cloud based),
facilities, core IT and security infrastructure, end user and
mobile devices, medical devices and instrumentation, and
associated security controls (logical, physical, and
environmental). Also, it should be noted that while the risk
analysis report identifies more than 366 threats and known
vulnerabilities, it is based on interviews with business owners
and technology administrators.
Text from an OCR closure letter.